diff --git a/runtime/reference/cli/env_variables.md b/runtime/reference/cli/env_variables.md
index e76cbbf4b..9b9d1ba64 100644
--- a/runtime/reference/cli/env_variables.md
+++ b/runtime/reference/cli/env_variables.md
@@ -1,10 +1,18 @@
---
-last_modified: 2024-10-07
+last_modified: 2026-05-20
title: "Configuring Deno behavior"
---
There are several environment variables which can impact the behavior of Deno:
+### DENO_AUDIT_PERMISSIONS
+
+Audit every permission access (allowed or denied). Set to a file path to write a
+JSONL audit log, or to the literal value `otel` to emit each access as an
+OpenTelemetry log record via the configured exporter. See
+[permissions](/runtime/fundamentals/security/#permission-flags) for the field
+set and the OTel attribute names.
+
### DENO_AUTH_TOKENS
A list of authorization tokens which can be used to allow Deno to access remote
@@ -86,6 +94,14 @@ permission to read the environment variables by checking the value of
Indicates hosts which should bypass the proxy set in the other environment
variables. See the [Proxies](#proxies) section for more information.
+### NODE_EXTRA_CA_CERTS
+
+Path to a PEM file with extra certificate authorities. Loaded at the root
+certificate store level, so the certs are honored by `fetch()`,
+`Deno.connectTls()`, and the Node compat APIs (`node:https`, `node:tls`).
+Available in Deno 2.8+. Missing or invalid files emit a warning rather than
+failing, matching Node.js semantics.
+
### NPM_CONFIG_REGISTRY
The npm registry to use when loading modules via
diff --git a/runtime/reference/env_variables.md b/runtime/reference/env_variables.md
index e905b3087..a79ba3ffb 100644
--- a/runtime/reference/env_variables.md
+++ b/runtime/reference/env_variables.md
@@ -138,26 +138,27 @@ examples.
The Deno runtime has these special environment variables.
-| name | description |
-| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| DENO_AUTH_TOKENS | A semi-colon separated list of bearer tokens and hostnames to use when fetching remote modules from private repositories
(e.g. `abcde12345@deno.land;54321edcba@github.com`) |
-| DENO_TLS_CA_STORE | Comma-separated list of order dependent certificate stores.
Possible values: `system`, `mozilla`. Defaults to `mozilla`. |
-| DENO_CERT | Load certificate authority from PEM encoded file |
-| DENO_COVERAGE_DIR | Set the directory for collecting coverage profile data. This option only works for [`deno test` subcommand](/runtime/reference/cli/test/). |
-| DENO_DIR | Set the cache directory |
-| DENO_INSTALL_ROOT | Set deno install's output directory (defaults to `$HOME/.deno/bin`) |
-| DENO_REPL_HISTORY | Set REPL history file path History file is disabled when the value is empty
(defaults to `$DENO_DIR/deno_history.txt`) |
-| DENO_NO_PACKAGE_JSON | Disables auto-resolution of `package.json` |
-| DENO_NO_PROMPT | Set to disable permission prompts on access
(alternative to passing `--no-prompt` on invocation) |
-| DENO_NO_UPDATE_CHECK | Set to disable checking if a newer Deno version is available |
-| DENO_V8_FLAGS | Set V8 command line options |
-| DENO_JOBS | Number of parallel workers used for the `--parallel` flag with the test subcommand.
Defaults to number of available CPUs. |
-| DENO_KV_ACCESS_TOKEN | Personal access token used when connecting to Deno KV databases (for example via [`Deno.openKv`](/api/deno/~/Deno.openKv) or `@deno/kv` with a KV Connect URL). |
-| DENO_AUDIT_PERMISSIONS | Audit every permission access. Set to a file path to write JSONL, or to the literal value `otel` to emit OpenTelemetry log records via the configured OTel exporter. See [permissions audit](/runtime/fundamentals/security/#permission-flags) for the field set. |
-| DENO_WEBGPU_TRACE | Path to a directory to output a [WGPU trace](https://github.com/gfx-rs/wgpu/pull/619) to when using the WebGPU API |
-| DENO_WEBGPU_BACKEND | Select the backend WebGPU will use, or a comma separated list of backends in order of preference. Possible values are `vulkan`, `dx12`, `metal`, or `opengl` |
-| HTTP_PROXY | Proxy address for HTTP requests (module downloads, fetch) |
-| HTTPS_PROXY | Proxy address for HTTPS requests (module downloads, fetch) |
-| NPM_CONFIG_REGISTRY | URL to use for the npm registry. |
-| NO_COLOR | Set to disable color |
-| NO_PROXY | Comma-separated list of hosts which do not use a proxy (module downloads, fetch) |
+| name | description |
+| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| DENO_AUTH_TOKENS | A semi-colon separated list of bearer tokens and hostnames to use when fetching remote modules from private repositories
(e.g. `abcde12345@deno.land;54321edcba@github.com`) |
+| DENO_TLS_CA_STORE | Comma-separated list of order dependent certificate stores.
Possible values: `system`, `mozilla`. Defaults to `mozilla`. |
+| DENO_CERT | Load certificate authority from PEM encoded file |
+| NODE_EXTRA_CA_CERTS | Path to a PEM file with extra certificate authorities. Loaded at the root certificate store level, so the certs are honored by `fetch()`, `Deno.connectTls()`, and Node compat APIs (`node:https`, `node:tls`). Available in Deno 2.8+. Missing or invalid files emit a warning rather than failing, matching Node.js. |
+| DENO_COVERAGE_DIR | Set the directory for collecting coverage profile data. This option only works for [`deno test` subcommand](/runtime/reference/cli/test/). |
+| DENO_DIR | Set the cache directory |
+| DENO_INSTALL_ROOT | Set deno install's output directory (defaults to `$HOME/.deno/bin`) |
+| DENO_REPL_HISTORY | Set REPL history file path History file is disabled when the value is empty
(defaults to `$DENO_DIR/deno_history.txt`) |
+| DENO_NO_PACKAGE_JSON | Disables auto-resolution of `package.json` |
+| DENO_NO_PROMPT | Set to disable permission prompts on access
(alternative to passing `--no-prompt` on invocation) |
+| DENO_NO_UPDATE_CHECK | Set to disable checking if a newer Deno version is available |
+| DENO_V8_FLAGS | Set V8 command line options |
+| DENO_JOBS | Number of parallel workers used for the `--parallel` flag with the test subcommand.
Defaults to number of available CPUs. |
+| DENO_KV_ACCESS_TOKEN | Personal access token used when connecting to Deno KV databases (for example via [`Deno.openKv`](/api/deno/~/Deno.openKv) or `@deno/kv` with a KV Connect URL). |
+| DENO_AUDIT_PERMISSIONS | Audit every permission access. Set to a file path to write JSONL, or to the literal value `otel` to emit OpenTelemetry log records via the configured OTel exporter. See [permissions audit](/runtime/fundamentals/security/#permission-flags) for the field set. |
+| DENO_WEBGPU_TRACE | Path to a directory to output a [WGPU trace](https://github.com/gfx-rs/wgpu/pull/619) to when using the WebGPU API |
+| DENO_WEBGPU_BACKEND | Select the backend WebGPU will use, or a comma separated list of backends in order of preference. Possible values are `vulkan`, `dx12`, `metal`, or `opengl` |
+| HTTP_PROXY | Proxy address for HTTP requests (module downloads, fetch) |
+| HTTPS_PROXY | Proxy address for HTTPS requests (module downloads, fetch) |
+| NPM_CONFIG_REGISTRY | URL to use for the npm registry. |
+| NO_COLOR | Set to disable color |
+| NO_PROXY | Comma-separated list of hosts which do not use a proxy (module downloads, fetch) |